| Warnings & Alerts Report and discuss scams, stolen domains, and bad people or companies to deal with. |
| | THREAD STARTER #1 (permalink) |
| NamePros Regular Join Date: Oct 2008 Location: Sector 7G, Alpha Centauri
Posts: 844
| Hacking probes everywhere.... For several weeks now, my cPanel logs have been getting flooded by probing attacks from apparent hackers who seem to be searching for whether you have WordPress or Joomla installed on your domains. And they come from all sorts of countries. My banned IP address list in my htaccess is so long already. It's eating up too much of my time just checking the logs each day for all my domains. I sometimes wonder whether these are zombie machines (users who had no idea their computers are infected and being used for probing attacks). |
| | |
| | #2 (permalink) |
| Senior Member Join Date: Aug 2008 Location: Australia
Posts: 1,800
| Botnets, is that what you are saying? |
| | |
| | #4 (permalink) |
| Senior Member Join Date: May 2009
Posts: 1,412
| It's automated, but not necessarily a zombie machine. |
| | |
| | THREAD STARTER #5 (permalink) |
| NamePros Regular Join Date: Oct 2008 Location: Sector 7G, Alpha Centauri
Posts: 844
| I'm not sure if being "automated" means the guy who owns the machine where the IP address originated was unaware that the probing came from his IP. I'm not sure anymore if I need to block all these IP addresses, or just leave the 403 errors as they are (my htaccess settings prevent execution of PHP scripts in certain directories). I've been blocking IP addresses almost every day. |
| | |
| | #9 (permalink) | ||||
| NamePros Member Join Date: Jul 2009 Location: Malaysia
Posts: 51
| hacking issues |
| | |
| | #11 (permalink) | ||||
| NamePros Expert Join Date: Nov 2003 Location: Scotland
Posts: 5,074
| One thing that does surprise me: by the sound of it, they are manually scanning for WordPress etc. If I were doing this I would personally hook into search engine results to find WordPress installations. |
| | |
| | #12 (permalink) |
| NamePros Member Join Date: Jul 2009 Location: Malaysia
Posts: 51
| BTW, about the scanning of WordPress sites, maybe because hackers recently (well, not that recently) are interested in vulnerabilities in WordPress, I think because of its popularity, where thousands of webmasters/bloggers are using it. |
| | |
| | #13 (permalink) |
| Account Suspended Join Date: Dec 2008 Location: Boston, Ma
Posts: 650
| 20 in a week isn't a DDoS attack. LOL Perhaps everyone should leave log analysis to the experts. 20 in a week, probably something harmless that you are not aware of. A DDoS attack is comprised of THOUSANDS and TENS OF THOUSANDS within minutes to hours. Keep banning IP addresses over foobar and watch as you eventually block the world. If you secure your server and website software you need not worry about blocking every IP that does something you do not recognize. There is a lot of legit activity that n00bs will see as "hack attempts" and it is quite humorous.
Step One: Stop using open source, if you have access to the vulnerabilities, then the script kiddies do too. Code your own stuff securely and correctly and never give anyone access to that code. That is the best first bet. Also do not use software that requires IONCube, if it is encrypted then you have no idea what the code really says. It could say "come hack my stuff by clicking here" for all you know.
Last edited by CrackFeed.Com; 07-09-2011 at 06:44 AM.
|
| | |
| | #15 (permalink) | ||||
| Account Suspended Join Date: Dec 2008 Location: Boston, Ma
Posts: 650
| Hey genius, how did they root the server to begin with? No, there is no evidence based on what the poster said that allows for the assumption that the server has been compromised. You need to read before you reply.
Last edited by CrackFeed.Com; 07-09-2011 at 07:41 AM.
| ||||
| | |
| | #16 (permalink) |
| NamePros Member Join Date: Jul 2009 Location: Malaysia
Posts: 51
| lol, roger that... seems I have got lots to learn |
| | |
| | #18 (permalink) |
| NamePros Expert Join Date: Nov 2003 Location: Scotland
Posts: 5,074
| Programming your own software is not necessarily going to make you secure. You state that if you can view the source so can others and find security holes; that is true, but it is also true that those people who find the security hole could report it and it could be fixed quicker. |
| | |
| | #19 (permalink) |
| Senior Member Join Date: May 2009 Location: internet@ctivist.com
Posts: 4,794
| Exploitation usually attacks the weakest point of any system - arrogance is one of the easiest to spot AND easiest to exploit. Open source works on the principle that there are more white hat than black hat hackers .. and this is after potentially 100s of people have potentially looked at the source. I think you're being taken out of context though and you're talking about open source add-ons developed by small teams and little review and this is something people should consider. You should be wary of what open source products you are using, stay up to date, and make a few simple changes (you can remove many indications that you are using WordPress/Joomla/Drupal with a few steps). Most people get stuck where a poorly supported plugin prevents a major platform upgrade - this is something that crowd sourcing has yet to resolve. Consider even Firefox 5. Most people haven't upgraded due to some "add on". It's security vs other benefits. The other always wins until something happens. It is essential that people DO NOT USE Templates with encoded source. These things are all over Usenet. Pay the $79 from a legitimate source... IP Theft is the #1 source for hackers to get access to your stuff.
Last edited by defaultuser; 07-09-2011 at 07:09 PM.
|
| | |
| | THREAD STARTER #20 (permalink) |
| NamePros Regular Join Date: Oct 2008 Location: Sector 7G, Alpha Centauri
Posts: 844
| But nonetheless, I don't feel comfortable just allowing a bot machine to probe my sites over and over again like that with impunity, even if I'm confident that I'm "secure". I'd rather block the IP and sleep soundly. |
| | |
| | #21 (permalink) |
| Senior Member Join Date: Jan 2006 Location: Corpus Christi, Texas
Posts: 2,373
| Speaking of htaccess, what are some good restriction settings to use? |
| | |
| | #22 (permalink) |
| Senior Member Join Date: Jul 2006 Location: Minneapolis
Posts: 2,516
| Glad you asked. We use many lines in our htaccess like:
deny from 1.
deny from 2.
deny from 109.
deny from 110.
deny from 111.
deny from 112.
deny from 113.
deny from 114.
deny from 115.
deny from 116.
deny from 117.21.
deny from 117.22.
deny from 117.23.
deny from 117.24.
deny from 117.25.
etc.
I will attach what we use in case someone else would like to block most non-US traffic to their site. This file has been built by hand over the past couple of years. When I get a spam or attack I check the IP whois and if it is non-US or a hosting company I add the IP range that contains what was used. [Caution: I cannot guarantee that some US ISP IPs won't be included. Use at your own risk or use it as a model to make your own list.] We don't care about non-US traffic so we can just block large IP ranges that are for sure not assigned to the US. We also block a lot of hosting company IP ranges. We do this on sites, but we also do this at the server level for some accounts. We had CSF installed and block the same ranges, but with notation like "109.0.0.0/8". When a country can't access your server or use it to relay spam, it really helps.
Last edited by nielsencl; 01-26-2012 at 09:52 PM.
|
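An added example, not part of the thread and not any poster's own tooling: Apache reads a partial address such as `117.21.` as the first one to three bytes of an IPv4 address, so each line in the list above is equivalent to a CIDR block like the `109.0.0.0/8` form used for CSF. The sketch below converts a few of the quoted entries and reports which deny line, if any, would catch a given client address, which is the check to run before deploying a list this broad. The function names and test addresses are constructed for illustration.

```python
import ipaddress

def prefix_to_cidr(entry):
    """Turn '117.21.' (Apache partial address) or '109.0.0.0/8' into a network."""
    entry = entry.strip()
    if "/" in entry:                      # already CIDR, as in the CSF notation
        return ipaddress.ip_network(entry, strict=False)
    octets = [o for o in entry.split(".") if o]
    if not 1 <= len(octets) <= 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError(f"not an IPv4 address or prefix: {entry!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}")

def load_denies(htaccess_text):
    """Return (original line, network) for every 'deny from <address>' line."""
    denies = []
    for line in htaccess_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "deny" and parts[1].lower() == "from":
            try:
                denies.append((line.strip(), prefix_to_cidr(parts[2])))
            except ValueError:
                continue                  # e.g. 'deny from all' or a hostname
    return denies

def blocking_entries(ip, denies):
    """List the deny lines that would block this client address."""
    addr = ipaddress.ip_address(ip)
    return [line for line, net in denies if addr in net]

# A few of the entries quoted in the post above.
HTACCESS = """\
deny from 1.
deny from 109.
deny from 117.21.
deny from 117.22.
"""
DENIES = load_denies(HTACCESS)

if __name__ == "__main__":
    for line, net in DENIES:
        print(f"{line:<20} = {net}  ({net.num_addresses:,} addresses)")
    # Constructed client addresses to test against the list.
    for ip in ("117.21.5.9", "117.20.1.1", "11.2.3.4"):
        print(ip, "->", blocking_entries(ip, DENIES) or "allowed")
```

The address counts make the post's caution concrete: a single one-octet line covers more than 16 million addresses.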
| | |
| | THREAD STARTER #23 (permalink) |
| NamePros Regular Join Date: Oct 2008 Location: Sector 7G, Alpha Centauri
Posts: 844
| There are also the Adsense-click-friendly countries to block. Sometimes, however, I wonder if this is some kind of racial discrimination. lol BY THE WAY...... My domains are being hammered repeatedly by this: "/shop/admin/banner_manager.php/login.php?action=insert" Any of you seeing this often as well?????? It's a good thing most of my domains are just 1-page plain HTML "for sale" pages. lol |
| | |
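An added example, not from any poster in this thread: instead of reading every log by hand, the probe traffic discussed above can be grouped per client and split into requests the server refused (403/404) and requests it actually served, which are the only ones that need a closer look. It assumes Apache combined log format; the log lines are constructed using documentation address ranges, and the marker list contains the path quoted in the post above plus the usual WordPress and Joomla admin paths.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD target proto" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})\s')

# Paths that only matter if the corresponding software is installed.
PROBE_MARKERS = ("/wp-login.php", "/wp-admin", "/administrator/",
                 "/shop/admin/banner_manager.php")

def triage(lines):
    """Group probe requests by client IP and count how many were served."""
    stats = defaultdict(lambda: {"hits": 0, "served": 0, "paths": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip malformed lines
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0].lower()
        if not any(marker in path for marker in PROBE_MARKERS):
            continue
        entry = stats[ip]
        entry["hits"] += 1
        entry["paths"].add(path)
        if status[0] in "23":              # 2xx/3xx: the probe got a real answer
            entry["served"] += 1
    return dict(stats)

def needs_review(stats):
    """Clients whose probes were answered rather than refused."""
    return sorted(ip for ip, s in stats.items() if s["served"] > 0)

# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jul/2011:06:01:12 +0000] "GET /wp-login.php HTTP/1.1" 404 312 "-" "-"
203.0.113.7 - - [09/Jul/2011:06:01:13 +0000] "GET /administrator/index.php HTTP/1.1" 404 315 "-" "-"
198.51.100.23 - - [09/Jul/2011:06:05:40 +0000] "POST /shop/admin/banner_manager.php/login.php?action=insert HTTP/1.1" 403 290 "-" "-"
198.51.100.23 - - [09/Jul/2011:06:05:41 +0000] "POST /shop/admin/banner_manager.php/login.php?action=insert HTTP/1.1" 403 290 "-" "-"
192.0.2.50 - - [09/Jul/2011:06:07:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.99 - - [09/Jul/2011:06:09:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "-"
"""

if __name__ == "__main__":
    stats = triage(SAMPLE_LOG.splitlines())
    for ip, s in sorted(stats.items()):
        print(ip, s["hits"], "probes,", s["served"], "served,", sorted(s["paths"]))
    print("review first:", needs_review(stats))
```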